GET POST Security

8 replies to this topic

#1 lloydthemidgetkicker

Posted 12 May 2006 - 07:34 PM


I'm trying to make one of my programs more secure, and I'd like to keep all GET and POST statements out of the URL. I'm pretty sure I have to tweak one of the php_ini settings, but I can't figure out which one. Anybody know how I can do this?

#2 wildteen88

Posted 12 May 2006 - 07:36 PM

Ok, POSTed data is not sent through the URL. However, GET data is. Now, if you don't want your GET data in the URL then use POST on your forms.

#3 lloydthemidgetkicker

Posted 15 May 2006 - 07:18 PM

When I am navigating by links instead of forms I need to use $_GET[] (I think) to determine which page I need to display. I thought there was a way to link with a variable, such as <a href='?page=a'>, without actually displaying the variable in the URL. I believe it's a php_ini setting, but I can't seem to figure out which one. I use some $_POST in the program I'm writing, but sometimes it seems necessary to use $_GET.

#4 jeremywesselman

Posted 15 May 2006 - 07:51 PM

I am pretty sure that you cannot keep $_GET from posting the variables in the URL. That is why it is called $_GET. You are getting the variables from the URL. $_POST is posting the variables to the action page.

I don't believe that there is any way around this.


#5 alpine

Posted 15 May 2006 - 09:11 PM

If you filter all GET variables properly (and POST, of course) you shouldn't have to worry. You can also make yourself one-time, self-expiring random keys to use along when you are navigating the admin area, performing delete operations, etc.

#6 _will

Posted 15 May 2006 - 09:51 PM

If you cannot get around passing variables in the GET, you can always convert the values to hex (http://us3.php.net/manual/en/function.bin2hex.php) and add or decrement an offset, or use the Base64 encoding (http://us3.php.net/base64_encode) so that the information in the URL looks like garbage to the user, but has a meaningful value to the web app.

#7 lloydthemidgetkicker

Posted 15 May 2006 - 11:03 PM

Thanks for the replies. I'm working on a project for my prof, so I'll tell him what you've told me.

#8 lloydthemidgetkicker

Posted 16 May 2006 - 01:13 AM

Ok, I'm glad I posted in the newb area, 'cause I feel like one now. I talked to my prof and what he really wanted was for me to find out how to keep session ids out of the URL. I've been reading about using session.use_only_cookies and looking for code examples. My prof also wants me to find out how to keep information from re-submitting if the user hits back and forward, and basically anything else that has to do with cookies and cookie security. Shouldn't be too difficult, but any code examples or links to info would help. Thanks
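An added example (not code from anyone in this thread) that ties together post #5's one-time keys and post #8's two questions: it forces the session id into a cookie with session.use_only_cookies and related settings, and it issues a single-use form token plus a Post/Redirect/Get redirect so that Back/Forward cannot resubmit a form. It assumes PHP 7.3 or later, HTTPS, and a hypothetical script path /comment.php.

```php
<?php
// Added example, not code from the thread. Assumes PHP >= 7.3 and HTTPS.
// Session id stays out of the URL: cookies only, no trans_sid URL rewriting, and
// reject session ids the server never issued (strict mode). Set before session_start().
ini_set('session.use_only_cookies', '1');
ini_set('session.use_trans_sid', '0');
ini_set('session.use_strict_mode', '1');
session_set_cookie_params([
    'httponly' => true,   // cookie not readable from JavaScript
    'secure'   => true,   // cookie only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();
// One-time form token, issued when the form is rendered and consumed on the first
// valid submit, so a Back/Forward resubmit or a request without the token is rejected.
function issue_form_token(string $form): string
{
    $token = bin2hex(random_bytes(32));
    $_SESSION['form_tokens'][$form] = ['token' => $token, 'expires' => time() + 900];
    return $token;
}

function consume_form_token(string $form, $submitted): bool
{
    $entry = $_SESSION['form_tokens'][$form] ?? null;
    unset($_SESSION['form_tokens'][$form]);   // single use, whether or not it matches
    if ($entry === null || !is_string($submitted) || time() > $entry['expires']) {
        return false;
    }
    return hash_equals($entry['token'], $submitted);   // constant-time comparison
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!consume_form_token('comment', $_POST['token'] ?? null)) {
        http_response_code(400);
        exit('Duplicate or invalid submission.');
    }
    // ... store $_POST['body'] here ...
    // Post/Redirect/Get: the browser's history entry is a GET, so Back does not repost.
    header('Location: /comment.php', true, 303);   // hypothetical path for this script
    exit;
}
$token = issue_form_token('comment');
?>
<form method="post" action="/comment.php">
  <input type="hidden" name="token" value="<?= htmlspecialchars($token, ENT_QUOTES) ?>">
  <textarea name="body"></textarea>
  <button type="submit">Send</button>
</form>
```

With `secure` set, the cookie is never sent over plain HTTP, so test this over HTTPS or the session will not persist.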

#9 .josh

Posted 16 May 2006 - 01:21 AM

well here's my 2 cents, one noob to another :laugh:

i guess it depends on what you are trying to prevent the user from doing when (s)he keeps clicking back and resubmitting. For instance, to prevent spamming, most message boards have a flood control option that basically keeps track of the last time someone posted and if they try to submit another post in (example) less than 30 seconds, it will not accept it (as in, not update relevant info into the database).

or i guess you could do an IP check, for random surfers. keep a log of IPs and timestamp of when info was submitted and then do a check on submit to see if the IP address was logged x amount of time earlier...

also you could check to see if the cookie already exists.

but actually i think a javascript solution might be better, seeing as how it is clientside...